author | Isaac Boukris <iboukris@gmail.com> | 2020-01-16 22:00:21 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-04-15 11:56:08 +0000 |
commit | 958807109845313c35a0c6949b33ffbc09eeba59 (patch) | |
tree | cc9675cee1e1c89c56c167119766d660752ee3a3 | |
parent | 25fefdb75f50716e6ad812fd900092fb56a18647 (diff) | |
Sign and verify PAC with ticket principal instead of canon principal
With MIT library 1.18 the KDC no longer sets
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals, which allows
us to leave them uncanonicalized (as Windows and Heimdal do).
However, this breaks PAC signature verification, because the PAC was
wrongly signed and verified using the canonical client name rather
than the ticket's client name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba_policies.c | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 586cf81451d..2eec496fa92 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 krb5_authdata ***signed_auth_data)
 {
 #endif
- krb5_const_principal ks_client_princ;
 krb5_authdata **authdata = NULL;
 krb5_boolean is_as_req;
 krb5_error_code code;
@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
 #endif
- /* Prefer canonicalised name from client entry */
- if (client != NULL) {
- ks_client_princ = client->princ;
- } else {
- ks_client_princ = client_princ;
- }
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 if (!is_as_req) {
 code = ks_verify_pac(context, flags,
- ks_client_princ,
+ client_princ,
 client,
 server,
 krbtgt,
@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 goto done;
 }
- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+ code = krb5_pac_sign(context, pac, authtime, client_princ,
 server_key, krbtgt_key, &pac_data);
 if (code != 0) {
 DBG_ERR("krb5_pac_sign failed: %d\n", code);
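Review bot: The reason the ticket principal must be used is now only in the commit message; the removed `/* Prefer canonicalised name from client entry */` comment gets no replacement at the `krb5_pac_sign` call, so a later reader could well reintroduce `client->princ` as the "better" name. I would add above that call: `/* Sign with the ticket's client name, not the canonical DB name: the verifier's krb5_pac_verify() compares the PAC client info against the ticket cname, and for enterprise principals (MIT >= 1.18, no KRB5_KDB_FLAG_CANONICALIZE) the two differ. */`. The `ks_verify_pac` call in the previous hunk deserves the same one-line note, and it still receives the `client` DB entry; whether it compares anything against `client->princ` internally is not visible here and is worth checking so the same mismatch is not still lurking on that path. The body of kdb_samba_db_sign_auth_data starts and ends outside these hunks.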